Network access controller and method

By dynamically allocating client devices among network access controllers and using packet forwarding components for load balancing, the problem of overload or underutilization caused by changes in the load of network access controllers is solved, thus achieving stability and scalability of network services.

CN116436838BActive Publication Date: 2026-06-05FRONTIIR PTE LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
FRONTIIR PTE LTD
Filing Date
2019-08-21
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing network access controllers are difficult to dynamically adjust when the load changes, leading to overload or underutilization, and may cause network service interruption in the event of a failure.

Method used

Load balancing is achieved by dynamically allocating client devices among network access controllers, allowing the addition or removal of network access controllers, and using packet forwarding components for load balancing and IP mobility management.

Benefits of technology

It effectively prevents network access controllers from being overloaded or underutilized, ensuring the stability and scalability of network services and avoiding network connection interruptions.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116436838B_ABST
    Figure CN116436838B_ABST
Patent Text Reader

Abstract

Network access controllers and methods are provided. A cloud-based router with policy enforcement. In some embodiments, a system is provided. The system includes a plurality of access points. The plurality of access points receives data packets from a plurality of client devices. The system also includes a plurality of tunnel devices coupled to the plurality of access points. The plurality of tunnel devices generates encapsulated packets based on the data packets received by the plurality of access points. The system also includes a plurality of packet forwarding components coupled to the plurality of tunnel devices via a first set of tunnels. The plurality of packet forwarding components receives the encapsulated packets from the plurality of tunnel devices and forwards the encapsulated packets. The system also includes a plurality of network access controllers coupled to the plurality of packet forwarding components via a second set of tunnels. The plurality of network access controllers enforces one or more network policies for the plurality of client devices as the plurality of client devices move between the plurality of access points.
Need to check novelty before this filing date? Find Prior Art

Description

[0001] This application is a divisional application of the invention patent application filed on August 21, 2019, with application number 201980068972.5 and title "Cloud-based Router with Policy Implementation". Technical Field

[0002] This invention relates to network architecture, and more specifically, to network architecture using a network access controller. Background Technology

[0003] Client devices (e.g., computing devices such as smartphones, laptops, tablets, etc.) can communicate with a network via an access point. For example, a tablet can communicate with the Internet (e.g., a network) via an access point such as a Wi-Fi access point. One or more network access controllers can provide network policy processing or enforcement functions for client devices and access points. For example, a network access controller can control how long a client device can access the network or the network bandwidth of the client device (e.g., throughput, download speed, upload speed, etc.). Summary of the Invention

[0004] According to one aspect of the present invention, a network access controller is provided, comprising: a memory for storing data; and a processing means coupled to the memory, the processing means being configured to: receive an encapsulated packet set from a packet forwarding component set; and implement one or more network policies for the client device set as the client device set moves between a set of access points, wherein: the network access controller is one of a plurality of network access controllers; each of the plurality of network access controllers implements a network policy for the corresponding client device set as the client device set moves between the set of access points; and the network access controller communicates data with the client device set via the packet forwarding component set and the tunneling device set.

[0005] According to another aspect of the present invention, a method for a network access controller is provided, comprising: receiving an encapsulated packet set from a packet forwarding component set by the network access controller; and implementing one or more network policies for the client device set by the network access controller when the client device set moves between a set of access points, wherein: the network access controller is one of a plurality of network access controllers; each of the plurality of network access controllers implements a network policy for the corresponding client device set when the corresponding client device set moves between the set of access points; and the network access controller communicates data with the client device set via the packet forwarding component set and the tunneling device set. Attached Figure Description

[0006] The described embodiments and their advantages can be best understood by referring to the following description taken in conjunction with the accompanying drawings. These drawings are in no way intended to limit any changes in form and detail that may be made to the described embodiments by those skilled in the art without departing from the spirit and scope thereof.

[0007] Figure 1 This is a block diagram illustrating an exemplary system architecture according to some embodiments of the present invention.

[0008] Figure 2 This is a block diagram illustrating an exemplary system architecture according to some embodiments of the present invention.

[0009] Figure 3 This is a block diagram of an exemplary packet forwarding component according to some embodiments of the present invention.

[0010] Figure 4 This is a flowchart of a packet forwarding method according to some embodiments of the present invention.

[0011] Figure 5 This is a block diagram illustrating an exemplary system architecture according to some embodiments of the present invention.

[0012] Figure 6 This is a block diagram illustrating an exemplary system architecture according to some embodiments of the present invention.

[0013] Figure 7 This is a flowchart of a packet forwarding method according to some embodiments of the present invention.

[0014] Figure 8 This is a block diagram illustrating an exemplary system architecture according to some embodiments of the present invention.

[0015] Figure 9 This is a flowchart of a packet forwarding method according to some embodiments of the present invention.

[0016] Figure 10 This is a block diagram of an exemplary computing device that can perform one or more of the operations described herein, according to some embodiments of the present invention. Detailed Implementation

[0017] Client devices (e.g., computing devices such as smartphones, laptops, tablets, etc.) can communicate with one or more networks via access points. For example, a tablet can communicate with the Internet (e.g., a network) via an access point (such as a Wi-Fi access point). One or more network access controllers can provide network policy processing or enforcement functions for client devices and access points. For example, a network access controller can control how long a client device can access the network or the client device's network bandwidth (e.g., throughput, download speed, upload speed, etc.).

[0018] As the number of client devices accessing one or more networks changes, the load on the network access controller may also change. For example, the number of client devices handled by the network access controller may decrease or increase based on the number of client devices that can use the access point at a given time. Dynamically adding or removing network access controllers can be difficult because they are typically configured to serve one or more access points. Additionally, different network access controllers may be deployed in different data centers or cloud computing platforms for resource or logical reasons. If a network access controller in a data center fails or is taken offline (e.g., for maintenance), there may be network service interruptions for client devices using those controllers.

[0019] This invention addresses the aforementioned and other drawbacks by assigning client devices to different network access controllers. As the number of client devices changes (e.g., as the number of client devices increases), the load can be distributed among the network access controllers to prevent overload or underutilization of the network access controllers. New network access controllers can be added, and existing network access controllers can be removed. Client devices can be assigned among the new or remaining network access controllers.

[0020] Figure 1 This is a block diagram illustrating an exemplary system architecture 100 according to some embodiments of the present invention. System architecture 100 includes a server system 110, an authentication server 150, an access point 130, and a client device 140. The server system 110, packet forwarding component 120, authentication server 150, access point 130, and client device 140 may be interconnected or coupled (e.g., communicatively coupled) to each other via one or more networks. One or more networks may transmit communications (e.g., data, messages, packets, frames, other suitable types or formats of data, etc.) between the server system 110, packet forwarding component 120, authentication server 150, access point 130, and client device 140. The network may be a public network (e.g., the Internet), a private network (e.g., a local area network (LAN) or a wide area network (WAN)) or a combination thereof. In one embodiment, the network may include wired or wireless infrastructure, which may be provided by one or more wireless communication systems (such as Wi-Fi hotspots connected to the network) and / or wireless bearer systems implemented using different data processing devices, communication towers (e.g., cell towers), etc.

[0021] A computing device can be a device that includes hardware such as processing devices (e.g., processors, central processing units (CPUs), memory (e.g., random access memory (RAM), storage devices (e.g., hard disk drives (HDDs), solid-state drives (SSDs)), and other hardware devices (e.g., sound cards, video cards, etc.). A computing device can include any suitable type of device or machine with a programmable processor, including, for example, server computers, desktop computers, laptop computers, tablet computers, smartphones, set-top boxes, etc. In some examples, a computing device can include a single machine or can include multiple interconnected machines (e.g., multiple servers configured in a cluster). Each computing device can execute or include an operating system (OS), as discussed in more detail below. The OS of the computing device can manage the execution of other components (e.g., software, applications, etc.) and / or can manage access to the hardware of the computing device (e.g., processors, memory, storage devices, etc.).

[0022] A virtual machine (VM) can be a software implementation (e.g., a software implementation of a computing device) of a machine that includes its own operating system (called a guest OS) and executes applications, software, and other software. A VM can execute on a hypervisor that runs on top of the computing device's OS (called the host OS). The hypervisor can also be called a virtual machine monitor (VMM). The hypervisor can be a component of the computing device's OS, can run on top of the OS, or can run directly on the host hardware without using the OS. The hypervisor can manage system resources, including access to hardware devices such as physical processing units (e.g., processors, CPUs, etc.), physical memory (e.g., RAM), storage devices (e.g., HDDs, SSDs), and / or other devices (e.g., sound cards, video cards, etc.). The hypervisor can also emulate hardware (or other physical resources) that can be used by the VM to execute software / applications. The hypervisor can also present an abstraction of one or more virtual machines (VMs) to other software (e.g., "guest" software). A VM can execute guest software that uses low-level emulation of physical resources (e.g., virtual processors and guest memory).

[0023] A container can be an isolated set of resources allocated for executing applications, software, and / or processes independently of other applications, software, and / or processes. Containers can run on a container engine that runs on top of the computing device's operating system. The host OS (e.g., the computing device's OS) can use namespaces to isolate container resources from each other. Containers can also be virtualized objects similar to virtual machines. However, containers may not implement a separate guest OS (such as a VM). Containers can share the host OS's kernel, libraries, and binaries with other containers running on the computing device. The container engine can allow different containers to share the computing device's host OS (e.g., OS kernel, binaries, libraries, etc.). For example, the container engine can reuse the host OS's binaries and / or libraries across multiple containers. The container engine can also facilitate interaction between containers and the computing device's resources. For example, the container engine can manage requests from containers to access the computing device's memory (e.g., RAM). In another example, the container engine can manage requests from containers to access certain libraries / binaries of the host OS. The container engine can also be used to create, remove, and manage containers. In one embodiment, the container engine can be a component of the host operating system. In another embodiment, the container engine can run on top of the host operating system, or it can run directly on the host hardware without using the host operating system.

[0024] In one embodiment, access point 130 may be a device at the boundary between a network service provider (e.g., an internet service provider, cable service provider, cellular service provider, etc.) and a consumer (e.g., a user of customer device 140). For example, access point 130 may be the boundary between the network service provider's network boundary and the consumer. In another embodiment, access point 130 may be a consumer premises equipment (CPE). CPE may refer to a device that can be installed or located outside the network service provider's network boundary. For example, CPE may be a wireless router (e.g., a network router) installed or located in the user's home.

[0025] like Figure 1As shown, server system 110 includes packet forwarding component 120 and network access controller 115. Packet forwarding component 120 and network access controller 115 can each be one or more computing devices, VMs, or containers. Packet forwarding component 120 and network access controller 115 can also reside on one or more computing devices, VMs, or containers (e.g., can be installed on them, can be executed on them, etc.). In one embodiment, server system 110 can be a data center or cloud computing architecture including multiple computing devices (such as server computers, etc.). In one embodiment, one of the network access controllers 115 can be a default network access controller, as discussed in more detail below. For example, the topmost network access controller 115 can be the default network access controller.

[0026] In one embodiment, a network access controller (e.g., network access controller 115, etc.) may perform various functions, actions, operations, etc., related to providing client device 140 with access to one or more networks (e.g., private or corporate networks, the Internet, public networks such as Wi-Fi networks in airports, coffee shops, train stations, etc., service provider networks, virtual network operators, and bearers, etc.). In one embodiment, the network access controller may authenticate or authorize client device 140 or its user. For example, the network access controller may communicate with authentication server 150 to determine whether to allow the user of client device 140 to access the network via access point 130, as discussed in more detail below. In another embodiment, the network access controller may provide network policy processing or enforcement functions. For example, the network access controller may determine the maximum throughput (e.g., maximum download speed) of a user or client device 140. In another example, the network access controller may determine the maximum amount of time or time period during which a user or client device 140 is allowed to access one or more networks (e.g., client device 140 may be allowed to access one or more networks for up to one hour, one day, or some other suitable time period). In another example, the network access controller can determine whether a user or client device 140 is allowed to access one or more server computers on a network. In one example, the network access controller can also control the type of data being sent or received. For example, since video data often uses more bandwidth, the network access controller can prevent video data from being sent or received. In some embodiments, group policy can be used to enforce network policies on a group of users or client devices 140. For example, group policy can be used to control download speeds, time limits, etc., for users registered in a specific subscription plan (e.g., an internet access subscription plan, a cable subscription plan, etc.) that allows users to access the network via access point 130.

[0027] In one embodiment, authentication server 150 may include, or may be coupled to, a data storage system including an authentication table that includes user identifiers (e.g., usernames, logins, email addresses, legitimate names, etc.) and the MAC addresses of network access controllers 115 associated with the user identifiers. For example, authentication server 150 may include an authentication table (or other type of data structure or format) that indicates the MAC address of a network access controller 115 associated with each user identifier (e.g., each username) in the table. The authentication table may include a list of all user identifiers of all users who are permitted to communicate with one or more networks (e.g., permitted to send data to and receive data from one or more networks). Data storage may be one or more devices capable of storing data. Examples of data storage include, but are not limited to, optical drives, hard disk drives (HDDs), solid-state drives (SSDs), random access memory (RAM), caches, databases, network attached storage (NAS) drives, portable hard drives, etc.

[0028] In one embodiment, the network access controller may encrypt data sent to access point 130 and decrypt data received from access point 130. For example, data sent by a server (e.g., a remote server) to client device 140 may be encrypted before being sent to access point 130 to protect the data from unauthorized access by other devices or users. In another example, data received from client device 140 may be decrypted before being sent to one or more networks. In another embodiment, the network access controller may also implement one or more conditions to allow a user of client device 140 to access one or more networks. For example, unless client device 140 has antivirus software installed, the network access controller may not allow client device 140 to access one or more networks.

[0029] In one embodiment, each network access controller 115 can instantiate and manage different Internet Protocol (IP) subnets. A subnet can be a logical division of an IP network. Different client devices 140 can be part of different subnets on which the client device 140 uses the network access controller 115. For example, a first client device 140 using the first network access controller 115 can be part of a first subnet, a second client device 140 using the second network access controller 115 can be part of a second subnet, and so on.

[0030] As discussed above, client device 140 can access one or more networks (e.g., the Internet, private or corporate networks, etc.) via access point 130. For example, access point 130 can be a wireless access point (e.g., a Wi-Fi access point) located in a store, coffee shop, office building, etc. Access point 130 can know the Media Access Control (MAC) address of the default network access controller 115. For example, access point 130 can receive messages with the MAC address of the default network access controller 115, or an administrator can store the MAC address of the default network access controller 115 in a configuration file or parameters. In one embodiment, access point 130 can receive packets (e.g., messages) from client device 140. Access point 130 can replace the destination MAC address of the packet with the MAC address of the default network access controller. Since the default network access controller 115 is located in server system 110 (e.g., within a data center or cloud computing architecture), access point 130 can replace the destination MAC address so that the packet is forwarded to server system 110.

[0031] In one embodiment, packets destined for server system 110 may be received by packet forwarding component 120 before being sent (e.g., forwarded) to network access controller 115. For example, when client device 140 sends a packet to server system 110, packet forwarding component 120 may first receive the packet and may forward the packet to one of network access controllers 115, as discussed in more detail below.

[0032] In one embodiment, client device 140 or a user can be authenticated by authentication server 150. For example, client device 140 or a user can send one or more authentication packets (e.g., one or more packets requesting authentication of the user or client device 140) to authentication server 150 via access point 130. The one or more authentication packets may include a user identifier (e.g., username) and a password (or some other suitable authentication information for authenticating the user or client device 140, such as a one-time password, the user's social security number, etc.). Access point 130 may send (e.g., forward) the one or more authentication packets to packet forwarding component 120, and packet forwarding component 120 may send (e.g., forward) the one or more authentication packets to authentication server 150. Authentication server 150 can authenticate the user identifier and password (or other suitable information for authenticating the user or client device 140), and if the user identifier and password are valid, can allow client device 140 or the user to access one or more networks. Authentication server 150 may send authentication packets indicating a response to authentication packets (e.g., authentication requests) received from the client device. For example, authentication server 150 can send a response to access point 130 indicating that the user has been successfully authenticated. Based on this response, access point 130 can allow client device 140 to access one or more networks.

[0033] In one embodiment, authentication server 150 may include attributes, fields, or parameters in the authentication packet (e.g., authentication response) sent to client device 140. Attributes may include a user identifier and the MAC address of the network access controller 115 associated with the user identifier. As described above, authentication server 150 may obtain the user identifier and the MAC address of the network access controller 115 associated with the user identifier based on a table. Authentication server 150 may add the user identifier and the MAC address of the network access controller 115 associated with the user identifier before sending the authentication packet to the client device.

[0034] In one embodiment, the authentication server 150 may be a Remote Authentication Dial-In User Service (RADIUS) server, and the authentication packet may be a RADIUS packet. Although the present invention may refer to RADIUS, a RADIUS server, or a RADIUS packet, other types of authentication servers, authentication protocols, authentication packets, etc., may be used in system architecture 100.

[0035] As described above, packet forwarding component 120 can receive packets sent by client device 140 and forward them to other devices or networks. Packet forwarding component 120 can forward packets between client device and authentication server 150. In one embodiment, packet forwarding component 120 can analyze authentication packets communicating between client device 140 and authentication server 150. Authentication packets communicating between client device 140 may include attributes, fields, parameters, etc., that indicate the network access controller in network access controller 115 that should be used for a user. For example, authentication packets may include attributes, fields, parameters, etc., indicating a user identifier and the MAC address of a specific network access controller 115 (which should be used for network policy processing or enforcement) for a specific user identified by the user identifier. These packets may also include the MAC address of the client device as the source MAC address when client device 140 sends the packet.

[0036] In one embodiment, packet forwarding component 120 may store the association between the MAC address of a client device and the MAC address of a specific network access controller 115. For example, packet forwarding component 120 may store the association between the MAC address of a client device and the MAC address of a specific network access controller 115 in an NAC table. In other embodiments, the NAC table may include the association between the MAC address of the client device, the MAC address of the network access controller 115, and a user's user identifier (e.g., a user identifier or a user of client device 140). The NAC table may be stored in a data store, which is included in or coupled to the network access controller 115.

[0037] In some embodiments, packet forwarding component 120 may obtain the NAC table or update the NAC table using various other methods, functions, operations, techniques, etc. For example, packet forwarding component 120 may receive the NAC table from other computing devices (e.g., other servers or databases) in comma-separated value (CSV) format or JavaScript open notation format.

[0038] In one embodiment, packet forwarding component 120 may receive packets from client device 140 via its ingress network interface (e.g., via a network port, network interface, etc.). The packets may be forwarded by access point 130 to server system 110 and may also be received by packet forwarding component 120. The packets may include a destination MAC address that is the MAC address of the default network access controller 115 (e.g., the MAC address set to the default network access controller 115). The packets may also include a source MAC address that is the MAC address of client device 140 (e.g., the MAC address set to the MAC address of client device 140).

[0039] In one embodiment, packet forwarding component 120 may access a NAC table (e.g., data indicating the association between user identifiers and the MAC addresses of network access controllers 115) and may determine or identify the MAC address of the network access controller 115 associated with the MAC address of client device 140. Packet forwarding component 120 may identify which network access controller 115 should receive packets from client device 140 based on the MAC address of the network access controller 115 associated with the MAC address of client device 140 (e.g., the source MAC address of packets sent by client device 140). Packet forwarding component 120 may update (e.g., change, modify) the destination MAC address of packets from the default network access controller's MAC address to the MAC address of the network access controller 115 associated with the MAC address of client device 140 based on the NAC table. Packet forwarding component 120 may then forward packets to the network access controller 115 associated with the MAC address of client device 140 via an egress network interface (e.g., via a network port, network interface, etc.).

[0040] In one embodiment, packet forwarding component 120 may receive a second packet from second client device 140, the second packet including the MAC address of a default network access controller 115 as the destination MAC address. Packet forwarding component 120 may determine or identify the source MAC address of the second packet that can indicate or identify the MAC address of the second client device 140. As described above, packet forwarding component 120 may identify the network access controller 115 associated with the MAC address of the second client device 140 based on an NAC table. Packet forwarding component 120 may update (e.g., change, modify) the destination MAC address of the second packet from the MAC address of the default network access controller to the MAC address of the network access controller 115 associated with the MAC address of the second client device 140. Packet forwarding component 120 may forward the second packet to the network access controller 115 associated with the MAC address of the second client device 140 (e.g., forward to the second network access controller).

[0041] Packet forwarding component 120 can update the NAC table to reassign client device 140 to different network access controllers 115 or reassociate it with different network access controllers 115 based on different algorithms, functions, parameters, criteria, conditions, etc. For example, the NAC can reassign client device 140 to network access controller 115 based on its utilization (e.g., reassociating client device 140 with an underutilized network access controller 115). In another example, packet forwarding component 120 can associate different client devices 140 with different network access controllers 115 based on the alphabetical order of the user's username. In a further example, packet forwarding component 120 can associate different client devices 140 with different network access controllers 115 based on the geographic region of the client device 140, based on the user's subscription, or by analyzing the access point 130 used by the client device 140.

[0042] In one embodiment, packet forwarding component 120 can perform load balancing functions for server system 110. For example, packet forwarding component 120 can forward packets from different client devices 140 to different network access controllers 115 to distribute packets across different network access controllers 115. This helps prevent network access controller 115 from being overloaded, helps prevent network access controller 115 from being underutilized, and allows for more efficient use of network access controller 115. In one embodiment, packet forwarding component 120 can be referred to as a load balancer. In another embodiment, packet forwarding component 120 can be referred to as a centralized load balancer because packet forwarding component 120 can be centrally located within server system 110 (e.g., in a data center, cloud computing architecture, etc.). In one embodiment, packet forwarding component 220 can forward packets to the same network access controller 215, regardless of which access point 230 the client device 240 is connected to. This allows Internet Protocol (IP) mobility. For example, this can allow system architecture 200 to keep client device 240 connected to the same IP subnet when client device 240 moves (e.g., roams) from one access point 230 to another access point 230. Keeping client device 240 connected to the same subnet can prevent interruption or disconnection of network connectivity or client sessions between client device 240 and other devices (e.g., server computers, other client devices, etc.).

[0043] In one embodiment, packet forwarding component 120 may also allow network access controller 115 to be added to or removed from system architecture 100. For example, network access controller 115 may be added, and client devices 140 associated with other network access controllers 115 may be associated with the new network access controller 115. In another example, network access controller 115 may be removed, and client devices 140 associated with the removed network access controller 115 may be associated with the remaining network access controllers 115. Reassigning client devices 140 to different network access controllers 115 or reassociating them with different network access controllers 115 allows system architecture 100 to scale up or down based on the number of client devices 140 and access points.

[0044] Figure 2 This is a block diagram illustrating an exemplary system architecture 200 according to some embodiments of the present invention. System architecture 200 includes a server system 210, an authentication server 250, an access point 230, and a client device 240. As described above, the server system 210, authentication server 250, access point 230, and client device 240 may be interconnected or coupled to each other (e.g., communicatively coupled) via one or more networks. One or more networks may transmit communications (e.g., data, messages, packets, frames, other suitable types or formats of data, etc.) between the server system 210, authentication server 250, access point 230, and client device 240.

[0045] like Figure 2 As shown, server system 210 includes packet forwarding component 220 and network access controller 215. As described above, each network access controller 215 can be one or more computing devices, VMs, or containers. In one embodiment, server system 210 can be a data center or cloud computing architecture including multiple computing devices (such as server computers). In one embodiment, as described above, one of the network access controllers 215 can be a default network access controller.

[0046] In one embodiment, as described above, the network access controller (e.g., network access controller 215, etc.) can perform various functions, actions, operations, etc., related to providing client device 240 with access to one or more networks (e.g., private or corporate networks, the Internet, etc.). In one embodiment, the network access controller can encrypt data sent to access point 230 and decrypt data received from access point 230. In another embodiment, the network access controller can also implement one or more conditions for allowing a user of client device 240 to access one or more networks. In some embodiments, each network access controller 215 can instantiate and manage different IP subnets.

[0047] In one embodiment, authentication server 250 may include, or may be coupled to, a data store that includes an authentication table, which includes user identifiers (and, as described above, the MAC addresses of network access controller 215 associated with the user identifiers). The authentication table may include a list of all user identifiers of all users permitted to communicate with one or more networks.

[0048] In one embodiment, a packet sent to server system 210 may be received by packet forwarding component 220 before being sent (e.g., forwarded) to network access controller 215. For example, when client device 240 sends a packet to server system 210, packet forwarding component 220 may first receive the packet and may forward the packet to one of network access controllers 215, as discussed in more detail below.

[0049] In one embodiment, client device 240 or a user can be authenticated by authentication server 250. For example, client device 240 or a user can send one or more authentication packets (e.g., one or more packets requesting authentication of the user or client device 240) to authentication server 250 via access point 230. These one or more authentication packets may include a user identifier (e.g., username) and a password (or some other suitable information for authenticating the user or client device 240, such as a one-time password, the user's social security number, etc.). Access point 230 may send (e.g., forward) the one or more authentication packets to packet forwarding component 220, and packet forwarding component 220 may send (e.g., forward) the one or more authentication packets to authentication server 250. Authentication server 250 can authenticate the user identifier and password (or other suitable information for authenticating the user or client device 240), and if the user identifier and password are valid, it may allow client device 240 or the user to access one or more networks. Authentication server 250 may send authentication packets indicating a response to authentication packets (e.g., authentication requests) received from the client device. For example, authentication server 250 can send a response to access point 230 indicating that the user has been successfully authenticated. Access point 230 can then allow client device 240 to access one or more networks based on this response.

[0050] In one embodiment, authentication server 250 may include attributes, fields, or parameters in the authentication packet (e.g., authentication response) sent to client device 240. Attributes may include a user identifier and the MAC address of the network access controller 215 associated with the user identifier. As described above, authentication server 250 may obtain the user identifier and the MAC address of the network access controller 215 associated with the user identifier based on a table. Authentication server 250 may add the user identifier and the MAC address of the network access controller 215 associated with the user identifier before sending the authentication packet to the client device.

[0051] In one embodiment, authentication server 250 may be a Remote Authentication Dial-In User Service (RADIUS) server, and authentication packets may be RADIUS packets. Although the present invention may refer to RADIUS, RADIUS servers, or RADIUS packets, other types of authentication servers, authentication protocols, and authentication packets may be used in system architecture 200.

[0052] like Figure 2 As shown, each access point 230 includes a packet forwarding component 220. The packet forwarding component 220 can receive packets sent by the client device 240 and forward them to other devices or the network. The packet forwarding component 220 can forward packets between the client device 240 and the authentication server 250. In one embodiment, as described above, the packet forwarding component 220 can analyze the attributes, fields, parameters, etc., of authentication packets communicating between the client device 240 and the authentication server 250 to identify the network access controller in the network access controller 215 that should be used by the user.

[0053] In one embodiment, as described above, packet forwarding component 220 may store the association between the MAC address of a client device and the MAC address of a specific network access controller 215 in an NAC table. In other embodiments, the NAC table may include an association between the MAC address of the client device, the MAC address of the network access controller 215, and the user's user identifier (e.g., a user identifier or the user of the client device 240).

[0054] In some embodiments, access point 230 may be configured or managed by a management server. The management server may provide access point 230 with a NAC table as part of the management of access point 230. For example, the management server may update the settings or configuration of access point 230. The management server may send a copy of the NAC table to access point 230, and access point 230 may store the NAC table in a data store (e.g., in memory, flash memory, etc.).

[0055] In one embodiment, packet forwarding component 220 may receive packets from client device 240, and the packets may include a destination MAC address that is the MAC address of the default network access controller 215 (e.g., the MAC address set to the default network access controller 215). The packets may also include a source MAC address that is the MAC address of client device 240 (e.g., the MAC address set to the MAC address of client device 240).

[0056] In one embodiment, packet forwarding component 220 can access a NAC table and determine or identify the MAC address of network access controller 215 associated with the MAC address of client device 240. Based on the NAC table, packet forwarding component 220 can update the destination MAC address of the packet from the default network access controller's MAC address to the MAC address of network access controller 215 associated with the MAC address of client device 240. Packet forwarding component 220 can then forward the packet to network access controller 215 associated with the MAC address of client device 240.

[0057] In one embodiment, packet forwarding component 220 may receive a second packet from second client device 240, the second packet including the MAC address of a default network access controller 215 as the destination MAC address. Packet forwarding component 220 may determine or identify the source MAC address of the second packet that can indicate or identify the MAC address of the second client device 240. As described above, packet forwarding component 220 may identify the network access controller 215 associated with the MAC address of the second client device 240 based on an NAC table. Packet forwarding component 220 may update (e.g., change, modify) the destination MAC address of the second packet from the MAC address of the default network access controller to the MAC address of the network access controller 215 associated with the MAC address of the second client device 240. Packet forwarding component 220 may forward the second packet to the network access controller 215 associated with the MAC address of the second client device 240 (e.g., forward to the second network access controller).

[0058] Packet forwarding component 220 can update the NAC table to reassign client devices 240 to different network access controllers 215 or reassociate them with different network access controllers 215 based on different algorithms, functions, parameters, criteria, conditions, etc. In one embodiment, as described above, packet forwarding component 220 can perform load balancing functions for server system 210. This can help prevent network access controller 215 from being overloaded, help prevent network access controller 215 from being underutilized, and allow for more efficient use of network access controller 215. In one embodiment, packet forwarding component 120 can be referred to as a load balancer. In another embodiment, packet forwarding component 120 can be referred to as a distributed or distributed load balancer because packet forwarding component 120 is distributed across different access points 230.

[0059] In one embodiment, when packet forwarding component 120 updates the destination MAC address to the MAC address of network access controller 215 associated with the MAC address of client device 240, packet forwarding component 120 can help prevent Layer 2 MAC broadcast frames from entering server system 210. This helps server system 210 by preventing broadcast packets from flooding server system 210 (or the network included in or coupled to server system 210). By removing broadcasts, server system 210 can be protected from a type of security vulnerability known as Address Resolution Protocol (ARP) poisoning. For example, client device 240 can be protected from ARP poisoning. Furthermore, removing broadcasts can allow the system architecture to scale to a large number of access points 230 on the same Layer 2 (L2) network. For example, thousands, millions, or some other suitable number of access points 230 can be on the same L2 network when broadcast packets are not used.

[0060] Figure 3 This is a block diagram of an exemplary packet forwarding component 120 according to some embodiments. The packet forwarding component 120 includes a processing device 310 (e.g., a processor, central processing unit, multi-core processor, multiple processors, etc.). The packet forwarding component 120 also includes a memory 320 (e.g., data storage) coupled to the processing device 310.

[0061] The authentication bridge 330 is coupled to the processing unit 310. The authentication bridge 330 may be connected to an authentication server (e.g., via a network interface 350) via a network interface 350. Figure 1 The authentication server 150 shown may include hardware, firmware, software, or a combination thereof for communication packets (such as authentication packets). For example, the authentication bridge 330 may include a bus, queue, etc., that can be used to communicate packets with the authentication server.

[0062] Protocol bridge 340 is coupled to processing device 310. Protocol bridge 340 can be hardware, firmware, software, or a combination thereof for communicating packets with one or more networks or devices (e.g., computing devices, servers, etc.). For example, an authentication bridge may include a bus, queue, etc., that can be used to receive packets from client devices.

[0063] Network interface 350 may be an interface or port capable of receiving data from or sending data to one or more networks or devices. In one embodiment, network interface 350 may be an ingress interface for receiving data (e.g., messages, packets, frames, etc.). In another embodiment, network interface 350 may be an egress interface for sending data. In a further embodiment, network interface 350 may be both an egress interface and an ingress interface.

[0064] Figure 4 This is a flowchart of a packet forwarding method 400 according to some embodiments of the present invention. Method 400 may be performed by processing logic, which may include hardware (e.g., circuitry, dedicated logic, programmable logic, processor, processing device, central processing unit (CPU), system-on-a-chip (SoC), etc.), software (e.g., instructions that run / execute on the processing device), firmware (e.g., microcode), or a combination thereof. In some embodiments, method 400 may be performed by a packet forwarding component, an access point, and / or a computing device.

[0065] Method 400 begins at box 405, where it receives an authentication packet (e.g., a RADIUS packet) from the client device. At box 410, method 400 analyzes the authentication packet and determines one or more of the following: user authentication information (e.g., username, password, user identifier, etc.), the client device's MAC address, and the MAC address of the network access controller associated with (e.g., associated with the client device) the client device's MAC address. At box 415, method 400 stores the association between the client device's MAC address and the network access controller's MAC address in a table.

[0066] At box 420, method 400 can receive a packet from the client device. For example, the client device can send the packet to another network or other device. The destination MAC address of the packet can be the MAC address used by the default network access controller. At box 425, method 400 can identify the source MAC address of the packet. At boxes 430 and 435, method 400 can access the table to identify the network access controller and the MAC address of the network access controller associated with the client device's MAC address based on the table. At box 440, method 400 can update the destination MAC address of the packet from the default network access controller's MAC address to the MAC address of the network access controller associated with the client device. At box 445, method 400 can forward the packet to the network access controller associated with the client device.

[0067] Figure 5 This is a block diagram illustrating an exemplary system architecture 500 according to some embodiments of the present invention. System architecture 500 includes a server system 510, an authentication server 550, a tunneling device 560, an access point 530, and a client device 540. The server system 510, authentication server 550, access point 530, tunneling device 560, and client device 540 may be interconnected or coupled to each other (e.g., communicatively coupled) via one or more networks. Server system 510 includes a network access controller 515 and a packet forwarding component 520. Network access controller 515 and packet forwarding component 520 may also be interconnected or coupled to each other via one or more networks. One or more networks may transmit communication (e.g., messages, packets, frames, etc.) between server system 510, authentication server 550, access point 530, tunneling device 560, and client device 540. The one or more networks may include combinations of public networks, private networks, wide area networks, metropolitan area networks, wired networks, wireless networks, etc.

[0068] In one embodiment, server system 510 may reside in one or more data centers or cloud computing architectures (e.g., a cloud) that include multiple computing devices (such as server computers). For example, some network access controllers 515 and some packet forwarding components 520 may reside in different data centers or clouds. In another example, all network access controllers 515 and packet forwarding components 520 may reside in the same data center or cloud.

[0069] Network access controller 515, packet forwarding component 520, tunneling device 560, access point 530, client device 540, and authentication server 550 can each be one or more of a computing device, a VM, or a container. As described above, a computing device can be a device that includes hardware such as processing devices (e.g., processors, memory (e.g., RAM), storage devices (e.g., HDDs, SSDs), and other hardware devices (e.g., video cards). A computing device can include any suitable type of device or machine with a programmable processor. A VM can be a software implementation of a computing device that includes its own operating system (called a guest OS) and executes applications, software, and applications. A VM can run on a hypervisor capable of managing system resources, including access to hardware devices (e.g., physical processors, physical memory, or storage devices). The hypervisor can also emulate physical resources or hardware that can be used by the VM to execute software / applications. As described above, a container can be an isolated set of resources allocated to execute applications, software, and / or processes independently of other applications, software, and / or processes. Containers can run on a container engine that runs on top of the computing device's OS. This container engine can allow different containers to share the computing device's host OS (e.g., OS kernel, binaries, libraries, etc.).

[0070] refer to Figure 1 Packet forwarding component 120 can receive packets from one or more access points 130. Each access point 130 can forward packets to packet forwarding component 120. In certain situations or conditions, a single or central packet forwarding component (such as...) is used. Figure 1 (As shown) This may lead to bottlenecks or slowdowns in packet processing or forwarding. For example, if a single packet forwarding component 120 is used in system architecture 100, that single packet forwarding component 120 may be the only device to process packets from all access points 130 or forward them to network access controller 115. Therefore, the amount of packets that can be processed or forwarded may be limited by the capabilities or resources of packet forwarding component 120. For example, the capabilities or resources of a single packet forwarding component 120 may be a limiting factor (e.g., a bottleneck) in the amount of packets that can be processed and sent using system architecture 100.

[0071] One way to increase the capabilities of system architecture 100 is through vertical scaling. Vertical scaling can refer to adding or increasing the capabilities or resources of a single packet forwarding component 120. For example, the capabilities or resources of packet forwarding component 120 can be vertically scaled by adding additional processing devices (e.g., processors or CPUs), adding faster or additional memory, adding dedicated hardware devices (such as dedicated network interface cards or network controllers), or adding more complex operating systems / software to optimize memory access and interrupt handling with low latency and high speed. However, there may be limitations on how much a single packet forwarding component 120 can be vertically scaled. For example, there are limitations on the number of processing devices, the amount of memory, etc., that can be added to a single packet forwarding component 120.

[0072] Another way to increase the capabilities of system architecture 100 is through horizontal scaling. Horizontal scaling can refer to adding additional packet forwarding components to system architecture 100. For example, dozens, hundreds, or thousands of packet forwarding components can be added to system architecture 100. Horizontal scaling allows for better scaling of the resources and capabilities of system architecture 100. For example, each of the multiple packet forwarding components can forward or process packets from a subset of access points 130. Therefore, packet forwarding or processing is distributed among multiple packet forwarding components, rather than a single packet forwarding component 120. Horizontal scaling can be a more efficient method for increasing the capabilities of system architecture 100 and can allow for greater scalability in the future (e.g., allowing for the addition of an unlimited number of packet forwarding components and network access controllers).

[0073] However, simply adding additional packet forwarding components to system architecture 100 may lead to more difficulties, problems, and challenges for system architecture 100. For example, system architecture 100 may use Layer 2 or data link layer packets (e.g., Ethernet frames). If the network devices (e.g., switches, routers, etc.) or links (e.g., data links, connections, etc.) interconnecting access point 130, packet forwarding component 120, and network access controller 115 become unavailable, the system architecture may find it more difficult to reroute Layer 2 packets. For example, if the switch between access point 130 and packet forwarding component 120 becomes unavailable, system architecture 100 may find it difficult to reroute packets through other network devices. Furthermore, because system architecture 100 can directly forward Layer 2 or data link layer packets between access point 130, packet forwarding component 120, and network access controller 115, the network devices interconnecting access point 130, packet forwarding component 120, and network access controller 115 can store the MAC addresses of many or all client devices 140 in the system architecture. This could lead network devices to use more space in their forwarding tables to store the MAC addresses of many or all client devices. The purchase or operation of network devices capable of storing client device MAC addresses can be more expensive. Furthermore, if Layer 2 packets are used between access point 130, multiple packet forwarding components, and network access controller 115, duplicate Layer 2 packets may be forwarded to the same network access controller 115. For example, if access point 130 broadcasts Layer 2 packets to multiple packet forwarding components 120, each packet forwarding component 120 can forward the Layer 2 packets to the same network access controller 115, resulting in duplicate Layer 2 packets arriving at network access controller 115. Duplicate Layer 2 packets can waste network capacity or bandwidth in network system 110. Additionally, network access controller 115 may waste computational or storage resources determining which Layer 2 packets are duplicates. While access point 130 could be modified to selectively cycle through (e.g., from the first packet forwarding component 120 to the last packet forwarding component) or randomly select packet forwarding components, this would increase the complexity or cost of access point 130. Additionally, some access points 130 may not support this feature or function (e.g., random selection packet forwarding component 120).

[0074] In one embodiment, access point 530 may be a device at the boundary between a network service provider (e.g., an internet service provider) and a consumer (e.g., a user of customer device 540). Access point 530 may represent the boundary between the network service provider's network boundary and the consumer. Examples of access point 530 may be CPEs installed or located in the user's home, such as wireless routers, cable modems, digital subscriber line (DSL) modems, etc.

[0075] As described above, client device 540 can access one or more networks (e.g., the Internet, private or corporate networks, etc.) via access point 530 (e.g., a Wi-Fi access point located in a shop, coffee shop, office building, etc.). Access point 530 can receive Layer 2 packets or data link layer packets from client device 540. Access point 530 can forward Layer 2 packets or data link layer packets to tunnel device 560. As described above, access point 530 can know the Media Access Control (MAC) address of the default network access controller 515. In one embodiment, as described above, access point 530 can modify, update, etc., the destination MAC address of Layer 2 packets (e.g., data link layer packets) using the MAC address of the default network access controller. Access point 530 can forward the modified Layer 2 packets to tunnel device 560.

[0076] like Figure 5 As shown, multiple access points 530 can be coupled (e.g., communicatively coupled) to tunneling devices 560. For example, each tunneling device 560 can be coupled to a set of access points 530. The set of access points 530 can be located in a geographic area or location. For example, the set of access points can be located within several city blocks, a community, etc. Therefore, each tunneling device 560 can receive Layer 2 packets from client devices 540 located within a geographic area or location.

[0077] In one embodiment, tunneling device 560 may be connected to one of packet forwarding components 520 via a tunnel. A tunnel may be a communication channel that encapsulates packets received at a first end of a communication channel and then forwards or sends the encapsulated packets to a second end via the communication channel. An encapsulated packet may be a packet that includes another packet in its payload. Various types of tunnels or tunneling protocols can be used for tunneling. For example, a tunnel may be a Secure Shell (SSH) tunnel, a Virtual Private Network (VPN) tunnel, a Layer 2 Tunneling Protocol (L2TP) tunnel, a Generic Routing Encapsulation (GRE) tunnel, a Virtual Extensible LAN (VXLAN) tunnel, etc.

[0078] In one embodiment, tunneling device 560 can receive Layer 2 packets from a set of access points 530 and can encapsulate these packets to generate encapsulated packets. For example, tunneling device 560 can generate encapsulated packets based on Layer 2 packets received from access points 530. The encapsulated packets can be Layer 3 packets. For example, the encapsulated packets can be IP packets, which include Layer 2 packets (e.g., Ethernet frames) in their payloads. Therefore, the encapsulated packets can belong to a higher network layer than Layer 2 packets. For example, referring to the Open Systems Interconnection (OSI) model, Layer 2 packets can belong to the data link layer, while the encapsulated packets can belong to the network layer. Tunneling device 560 can be coupled to one of packet forwarding components 520 via a tunnel. Tunneling device 560 can forward or send encapsulated packets to packet forwarding component 520 via the tunnel.

[0079] In one embodiment, tunneling can allow tunneling device 560 to more easily reconnect to different packet forwarding components 520. If tunneling device 560 is coupled to a first packet forwarding component 520 via a tunnel, and the first packet forwarding component 520 becomes inoperable or unavailable (e.g., crashes, restarts, fails, etc.), tunneling device 560 can connect to a second packet forwarding component 520 via a second tunnel. For example, tunneling device 560 can automatically establish a second tunnel using the second packet forwarding component 520. In another example, packet forwarding component 520 can receive data (e.g., a message) instructing tunneling device 560 which other packet forwarding component 520 should use. Tunneling device 560 can send encapsulated packets to packet forwarding component 520 via the appropriate tunnel. The encapsulated packets may include a destination MAC address as the MAC address of the default network access controller 515 and a source MAC address as the MAC address of the client device 540.

[0080] In one embodiment, tunneling device 560 can help reduce the number of connections, communication channels, tunnels, etc., that can be coupled to packet forwarding component 520. For example, by aggregating multiple access points 530 via tunneling device 560, each access point 530 is not coupled to packet forwarding component 520. This allows packet forwarding component 520 to have a single connection to tunneling device 560, rather than multiple connections to access points 530 coupled to tunneling device 560. For example, if there are thirty access points 530 coupled to tunneling device 560, packet forwarding component 520 may be able to receive packets from all thirty access points 530 via a single tunnel to the tunneling device, rather than via thirty connections to each individual access point 530.

[0081] As described above, packet forwarding component 520 can perform load balancing functions for server system 510. In one embodiment, packet forwarding component 520 can forward packets from a client device to the same network access controller 515, regardless of which access point 530 the client device is connected to. Packet forwarding component 520 can determine which network access controller 515 to forward packets to based on the NAC table. Packet forwarding component 520 can be coupled to network access controller 515 via one or more tunnels.

[0082] In another embodiment, packet forwarding component 520 may also allow network access controller 515 to be added to or removed from system architecture 500. For example, network access controller 515 may be added or removed, and one or more client devices 540 may be reassociated with or reassigned to different network access controllers 515 after the addition or removal of network access controller 515. A tunnel between tunnel device 560 and the removed network access controller 515 may be redirected or re-established using another network access controller 515. Reassigning or reassociating client devices 540 with different network access controllers 515 allows system architecture 500 to scale up or down based on the number of client devices 540 and access points.

[0083] In one embodiment, network access controller 515 may perform various functions, actions, operations, etc., related to providing client device 540 with access to one or more networks (e.g., private or corporate networks, the Internet, public Wi-Fi networks, service provider networks, etc.). Network access controller 515 may authenticate or authorize client device 540 before providing access to one or more networks (e.g., access to the Internet) to client device 540. In another embodiment, network access controller may provide network policy processing or enforcement functions (e.g., enforcing maximum download speeds, enforcing data limits, etc.). In some embodiments, group policies may be used to enforce network policies on a group of users or client devices 540. For example, group policies can be used to control download speeds, time limits, etc., for multiple users registered in a specific subscription plan (e.g., Internet access subscription plan, family plan, sharing plan, group subscription, etc.).

[0084] In one embodiment, network access controller 515 may allow one or more client devices 540 to access other networks via network access controller 515. For example, network access controller 515 may allow client devices to send and receive data (e.g., packets) to and from the Internet, private enterprise networks, etc. Because packets communicating between client devices 540 and other networks are routed through network access controller 515, this may allow network access controller 515 to act as a central entity or component similar to a router (e.g., a home router, DSL mode, cable mode, etc.) that enforces network policies or group policies on one or more client devices 540.

[0085] In one embodiment, as described above, network access controller 515 can encrypt data sent to access point 540 and decrypt data received from access point 540. In another embodiment, each network access controller 515 can be instantiated and can manage different Internet Protocol (IP) subnets (e.g., logical partitions of an IP network). Different client devices 540 can be part of different subnets on which the client device 540 uses the network access controller 515.

[0086] In one embodiment, authentication server 150 may use an authentication table to authenticate client device 540. The authentication table may include user identifiers (e.g., username, login, email address, legal name, etc.) and the MAC address of the network access controller 515 associated with the user identifiers. The authentication table may associate the MAC address of the network access controller 515 with each user identifier. The authentication table may include a list of user identifiers of users permitted to communicate (e.g., send or receive packets) with one or more networks via the network access controller 515. Client device 540 may send one or more authentication packets (e.g., one or more packets requesting authentication of a user or client device 540) to authentication server 150 via access point 530. The one or more authentication packets may include credentials (e.g., user identifier, password, etc.). Access point 530 may send (e.g., forward) the one or more authentication packets to packet forwarding component 520, and packet forwarding component 520 may send (e.g., forward) the one or more authentication packets to authentication server 550. Authentication server 150 can authenticate user identifiers and passwords (or other appropriate information used to authenticate users or client device 540), and if the user identifier and password are valid, can allow client device 540 or the user to access one or more networks. Authentication server 550 can send authentication packets indicating a response to authentication packets (e.g., authentication requests) received from the client device. For example, authentication server 550 can send a response to access point 530 indicating that the user has been successfully authenticated. Access point 530 can then allow client device 540 to access one or more networks based on the response.

[0087] In one embodiment, authentication server 550 may store or record attributes, fields, or parameters in authentication packets (e.g., authentication responses) sent to and from client device 540. Attributes may include a user identifier and the MAC address of the network access controller 515 associated with the user identifier. Authentication server 550 may add the user identifier and the MAC address of the network access controller 515 associated with the user identifier before sending the authentication packet to the client device. Authentication server 550 may also store the MAC address of the client device 540 that sent the authentication packet. The user identifier, the MAC address of the network access controller 515, and the MAC address of the client device 540 may be associated with each other and stored in a table (e.g., stored as rows in a table). In one embodiment, authentication server 550 may be a RADIUS server, and the authentication packet may be a RADIUS packet. Other types of authentication servers, authentication protocols, authentication packets, etc., may be used in system architecture 500.

[0088] In one embodiment, when processing a packet from client device 540, network access controller 515 can use attributes stored in a table in authentication server 550. For example, network access controller 515 can use the client's MAC address stored in the table to determine which user identifier is associated with that MAC address. This can allow network access controller 515 to identify the subscription or plan of the client's MAC address (e.g., client device 540).

[0089] In one embodiment, multiple authentication servers (not shown) can be used. Each of the multiple authentication servers can be associated with a different group of network access controllers 515. For example, a specific network access controller 515 can forward authentication packets to a specific authentication server. This association between the network access controller 515 and the authentication servers allows the network access controller 515 to continue identifying the user's subscription based on the client's MAC address, even when multiple authentication servers are used.

[0090] As described above, packet forwarding component 520 can receive packets sent by client device 540 and forward the packets to other devices or networks. Packet forwarding component 520 can forward packets between client device and authentication server 150. In one embodiment, packet forwarding component 520 can analyze authentication packets communicating between client device 540 and authentication server 550. Authentication packets communicating between client device 540 may include attributes, fields, parameters, etc., that indicate the network access controller in network access controller 515 that should be used for the user. For example, authentication packets may include attributes, fields, parameters, etc., indicating a user identifier and the MAC address of a specific network access controller 515 (that should be used for network policy processing or enforcement) for a specific user identified by the user identifier. The packet may also include the MAC address of the client device as the source MAC address when client device 540 sends the packet.

[0091] In one embodiment, packet forwarding component 520 can establish tunnels (e.g., GRE tunnels, VPN tunnels, L2TP tunnels, etc.) with one or more tunneling devices 560 (e.g., one tunnel per tunneling device 560). Packet forwarding component 520 or tunneling device 560 can initiate tunnel establishment. Packet forwarding component 520 can also establish tunnels with one or more network access controllers 515. For example, packet forwarding component 520 can establish tunnels to each network access controller 515. In another example, packet forwarding component 520 can establish one or more tunnels to a subset of network access controllers 515. Packet forwarding component 520 or network access controller 515 can initiate tunnel establishment.

[0092] In one embodiment, packet forwarding component 520 can receive encapsulated packets from tunnel device 560 via a tunnel between packet forwarding component 520 and tunnel device 560. As described above, tunnel device 560 can generate encapsulated packets based on data packets (e.g., Layer 2 packets) received from client device 540. The encapsulated packets can be higher-layer packets (e.g., Layer 3 or network layer packets), and the payload of the encapsulated packets can include lower-layer packets (e.g., Layer 2 or data link layer packets).

[0093] Packet forwarding component 520 can access an NAC table to determine which of the network access controllers 515 should receive the encapsulated packet (e.g., to which network access controller 515 to forward the encapsulated packet). The NAC table may include data indicating associations between one or more of a user identifier, the MAC address of the client device 540, and the MAC address of the network access controller 515. These associations can indicate which of the multiple network access controllers 515 should be used for a particular client device 540 or user. For example, these associations can indicate which packet forwarding component 520 has been assigned to or is suitable for the client device 540. Packet forwarding component 520 can update or modify the destination MAC address of the packet from the default network access controller's MAC address to the appropriate network access controller 515 associated with the client device 540's MAC address based on the NAC table. Packet forwarding component 520 can then forward the packet to the network access controller 515 associated with the client device's MAC address. In some embodiments, as described above, packet forwarding component 520 may obtain the NAC table or may update the NAC table. For example, packet forwarding component 520 may receive NAC tables from other computing devices (e.g., server computers) in CSV, JSON, or Extensible Markup Language (XML) format. In another example, packet forwarding component 520 may receive NAC tables based on user input received from a user (e.g., a network administrator) via an interface (e.g., via a graphical user interface (GUI), command-line interface (CLI), etc.). The NAC tables of packet forwarding component 520 may also be updated. For example, the server computer may periodically send new NAC tables to packet forwarding component 520. As described above, packet forwarding component 520 may update NAC tables to reassign client devices 540 to different network access controllers 515 or reassociate them with different network access controllers 515 based on different algorithms, functions, parameters, criteria, conditions, etc. In one embodiment, the NAC table or packet forwarding component 520 may associate different client devices 540 with different network access controllers 515 based on the geographical region of the client devices 540. For example, all client devices 540 within a geographic area (e.g., several blocks, cities, counties, states, provinces, etc.) can be assigned to or associated with a particular network access controller 515. In another embodiment, the NAC table or packet forwarding component 520 can associate different client devices 540 with different network access controllers 515 based on different subscriptions or network plans. For example, multiple client devices 540 may be part of a group plan (e.g., a family plan). Client devices 540 in a group plan can be assigned to or associated with the same network access controller 515. In another example, client devices 540 associated with different subscription levels can be associated with different network access controllers 515.Client devices 540 using more expensive subscription plans (e.g., subscription plans that allow faster speeds or throughput, higher data limits, or higher data usage) can be assigned to or associated with a first network access controller. Client devices 540 using cheaper subscription plans (e.g., subscription plans that allow lower speeds or throughput, lower data limits, or lower data usage) can be assigned to or associated with a second network access controller 515. This allows server system 510 to prioritize packets or services when network congestion or reduced network capacity occurs (e.g., packets from client devices on more expensive subscription plans may be prioritized). In another example, certain types of subscriptions can be grouped or associated with certain network access controllers 515. For example, certain subscription plans are for users streaming video or playing video games. These video game or streaming video subscription plans can be associated with certain network access controllers 515 specifically assigned to process and forward packets for streaming video or video games. In another example, certain users can be beta testers who can be grouped to certain network access controllers 515 capable of providing users with access to different features or services.

[0094] In one embodiment, packet forwarding component 520 may forward or send encapsulated packets to network access controller 515 identified or selected based on the NAC table. Packet forwarding component 520 may send encapsulated packets to the identified network access controller 515 via a tunnel between packet forwarding component 520 and the identified network access controller 515. In some embodiments, as discussed in more detail below, packet forwarding component 520 may forward packets to the same network access controller 515 regardless of which access point 530 the client device 540 is connected to. As mentioned above, the user or client device 540 may be part of a group or subscription plan. In other embodiments, in the NAC table, client device 540 or a user who is part of the same group may be associated with the same network access controller 515. This may allow packets (e.g., data packets or Layer 2 packets) from client device 540 in the same group or subscription plan to be forwarded to the same network access controller 515. As discussed in more detail below, since packets from client devices in the same group or subscription plan are forwarded to the same network access controller 515, this allows system architecture 500 to more easily implement network policies or group policies for client devices 540 in that group.

[0095] In one embodiment, client device 540 or a user can be part of multiple groups. For example, client device 540 can be associated with different group subscriptions. Client device 540 can be part of a first group subscription for the user's work and can be part of a second group subscription for the user's home. Based on whether client device 540 is part of multiple group subscriptions or group policies, network access controller 515 can determine which group policy should be applied. For example, if client device 540 is located at the user's workplace, the first group subscription is used. If client device 540 is located at the user's home, the second group subscription can be used.

[0096] In one embodiment, different client devices 540 can be assigned to different network access controllers 515. For example, client devices 540 assigned to network access controller 515 can be referred to as client groups. A client group can include client devices 540 from multiple groups or group subscriptions. Additionally, the client groups of network access controller 515 can be modified. For example, a network administrator can add or remove client devices 540 from a client group.

[0097] Network access controller 515 may be coupled to one or more networks, such as a public network (e.g., the Internet) or a private network (e.g., an enterprise network). In one embodiment, network access controller 515 may receive encapsulated packets from packet forwarding component 520 via a tunnel between network access controller 515 and packet forwarding component 520. Network access controller 515 may decapsulate, unpack, etc., the encapsulated packets to obtain data packets (e.g., Layer 2 packets) sent by client device 540 to access point 530. Network access controller 515 may analyze one or more of the encapsulated packets or data packets to identify network policies (e.g., network policies for users, group policies for user groups, etc.). For example, as discussed in more detail below, network access controller may identify the source MAC address (which may be the MAC address of client device 540) to identify the network policy or group policy associated with the client device 540 that sent the data packet. As discussed in more detail below, network access controller 515 may determine whether, when, and how to forward data packets to one or more networks (e.g., the Internet) based on data policies or group policies.

[0098] As described above, adding additional packet forwarding components to a system architecture that uses Layer 2 packets may lead to more difficulties, problems, and challenges for the system architecture. For example, the system architecture may find it more difficult to forward or route Layer 2 packets to different network access controllers 515. Additionally, more expensive network devices may be used to interconnect access point 130, packet forwarding component 120, and network access controller 115, so that the network devices store the MAC addresses of many or all client devices 140 in the system architecture.

[0099] In some embodiments, system architecture 500 encapsulates packets instead of Layer 2 packets for communication (e.g., sending or receiving) between access point 130, packet forwarding component 120, and network access controller 115. This allows network devices interconnecting access point 130, packet forwarding component 120, and network access controller 115 to store fewer MAC addresses in their forwarding tables because the MAC address of client device 540 is not exposed to network devices. Alternatively, the MAC addresses of access point 130, packet forwarding component 120, and network access controller 115 can be used in encapsulated packets (e.g., Layer 3 packets). The total number of MAC addresses of access point 130, packet forwarding component 120, and network access controller 115 can be much smaller than the total number of MAC addresses of client device 540. Tunneling device 560 can allow system architecture 500 to use encapsulated packets by encapsulating data packets received from client device 540 (e.g., Layer 2 packets).

[0100] In other embodiments, system architecture 500 can more easily route encapsulated packets between access point 130, packet forwarding component 120, and network access controller 115. Because the encapsulated packets reside at a higher layer than data packets (which are at the data link layer or layer 2) (e.g., at the network layer or layer 3), system architecture 500 can use Internet Protocol (IP) layer routing protocols, standards, technologies, methods, operations, etc., to route encapsulated packets between access point 130, packet forwarding component 120, and network access controller 115. For example, if multiple paths exist through network devices interconnecting access point 130, packet forwarding component 120, and network access controller 115, and one of the network devices is inoperable (e.g., crashed, failed, or otherwise unavailable), the encapsulated packets can be rerouted through other paths using IP routing protocols. This allows system architecture 500 to have greater fault tolerance and recover from errors more quickly or efficiently.

[0101] While this invention may relate to Wi-Fi, other types of communication protocols, access technologies, and infrastructure can be used. For example, instead of using a Wi-Fi network, a gigabit passive optical network (GPON) can be used. In another example, an Ethernet network can be used. For example, any protocol, access technology, or infrastructure that can be used to forward the MAC address of a client device to the network access controller 515 can be used.

[0102] Additionally, although the present invention may describe packets sent from client device 540 to network controller 515, packets can also be sent from network access controller 515 to client device 540. For example, after a packet is sent from client device 540 to network controller 515, network access controller 515 can know the IP address already assigned to client device 540 (e.g., network access controller 515 can assign an IP address to client device 540). Network access controller 515 can also know the MAC address of client device 540. Network access controller 515 can store the association between client device IP address and MAC address in a table such as an ARP table or a similar table. This allows network access controller 515 to determine the IP address of client device 540 based on client device 540's MAC address without using ARP broadcast.

[0103] In one embodiment, system architecture 500 can provide low-cost broadband service to millions of users, homes, and businesses. System architecture 500 can be scaled to aggregate speeds of hundreds of gigabits or terabits per second. For example, as different types of access technologies or protocols are developed (e.g., fifth-generation (5G) protocols, sixth-generation (6G) protocols, etc.), access point 530 can be replaced with different access points supporting newer access technologies. Additionally, the system architecture permits the integration of thousands, hundreds, or even thousands of Wi-Fi access points (or other types of access points), each with different antenna configurations and from different vendors. This allows the system architecture to be used with all types of access points, from high-end access points with more features to low-end access points. System architecture 500 can be able to provide a variety of solutions for providing network access using access technologies, ranging from long-range Wi-Fi for rural areas, fiber-to-the-home (FTTH) or GPON for more developed urban areas, to enterprise-grade access points for businesses or corporations. By using Layer 2 or Layer 3 protocols and by using lower-cost access points (e.g., by using Wi-Fi access points instead of cell towers), System Architecture 500 is able to provide low-cost and high-performance broadband services (e.g., providing network access) to millions of users or homes. For example, System Architecture 500 could be able to deploy outdoor Wi-Fi access points to cover millions of homes at a cost that is 1 / 30th of the cost of an LTE network with similar capabilities.

[0104] Figure 6This is a block diagram illustrating an exemplary system architecture 600 according to some embodiments of the present invention. System architecture 600 includes a server system 510 and a tunneling device 560. The server system 510, authentication server 550, and tunneling device 560 may be interconnected or coupled to each other (e.g., communicatively coupled) via one or more networks. The server system 510 includes a network access controller 515 and a packet forwarding component 520. The network access controller 515 and packet forwarding component 520 may also be interconnected or coupled via one or more networks. One or more networks can transmit communication (e.g., messages, packets, frames, etc.) between the server system 510 and the tunneling device 560. Each tunneling device may be coupled to one or more access points (e.g., Figure 5 The access points shown in the figure), and each access point can be coupled to one or more client devices (e.g., Figure 5 (The client device shown). Server system 510 may be located in one or more data centers or cloud computing architectures (e.g., the cloud) that include multiple computing devices (such as server computers). Network access controller 515, packet forwarding component 520, and tunneling device 560 may each be one or more computing devices, VMs, or containers.

[0105] As described above, tunneling device 560 can be coupled to one or more access points. Each tunneling device 560 can be coupled to access points within a geographical location. Each tunneling device 560 can be coupled to one or more access points via a Layer 2 connection or via a data link layer connection. For example, each tunneling device 560 can receive Layer 2 packets from the access points. Tunneling device 560 can receive Layer 2 packets (e.g., data packets) from a set of access points and can encapsulate these packets to generate encapsulated packets (e.g., Layer 3 packets). The encapsulated packets can be higher-layer packets (e.g., Layer 3 or network layer packets), and the payload of the encapsulated packets can include lower-layer packets (e.g., Layer 2 or data link layer packets).

[0106] Each tunneling device 560 can be coupled to the packet forwarding component 520 via tunnel 680. As described above, tunnel 680 can be a communication channel for communicating encapsulated packets (e.g., a GRE tunnel, L2TP tunnel, etc.). Each tunnel 680 is coupled at one end to tunneling device 560 and at the other end to an endpoint 622 on packet forwarding component 520. Endpoint 622 can be referred to as a tunnel endpoint. As described above, tunnel 680 allows tunneling device 560 to more easily reconnect to different packet forwarding components 520. Tunnel 680 can be used to communicate encapsulated packets (e.g., Layer 3 packets, encapsulated Layer 2 packets, etc.) between tunneling device 560 and packet forwarding component 520. Although only one tunnel 680 is shown between tunneling device 560 and packet forwarding component 520, tunneling device 680 can be coupled to multiple packet forwarding components 520 via multiple tunnels. This allows tunneling device 680 to switch packet forwarding components 520 more quickly. For example, instead of establishing a new tunnel 680 with the second packet forwarding component 520 when the first packet forwarding component 520 fails, the tunneling device 680 can use two tunnels and switch between the two tunnels when the packet forwarding component 520 fails.

[0107] In one embodiment, packet forwarding component 520 performs load balancing for server system 510 by forwarding packets from different client devices to different network access controllers 515. In another embodiment, as discussed in more detail below, packet forwarding component 520 may forward packets to the same network access controller 515, regardless of which access point the client device is connected to. As mentioned above, packet forwarding component 520 may determine which network access controller 515 to forward packets to based on the NAC table. In another embodiment, packet forwarding component 520 may also allow network access controllers 515 to be added to or removed from system architecture 500.

[0108] Each packet forwarding component 520 is coupled to one or more network access controllers 515 via a tunnel 690 (e.g., a GRE tunnel, VPN tunnel, L2TP tunnel, etc.). Each tunnel 690 can be a communication channel (e.g., a GRE tunnel, L2TP tunnel, etc.) for communicating encapsulated packets. Each tunnel 690 is coupled to the network access controller 515 at endpoint 616 and to the packet forwarding component 520 at endpoint 621. Endpoints 621 and 622 can be referred to as tunnel endpoints. Tunnel 690 allows the packet forwarding component 520 to more easily reconnect to different network access controllers 515. Tunnel 690 can be used to communicate encapsulated packets (e.g., Layer 3 packets, encapsulated Layer 2 packets, etc.) between the packet forwarding component 520 and the network access controller.

[0109] In one embodiment, packet forwarding component 520 may forward encapsulated packets to one of network access controllers 515. Packet forwarding component 520 may access a NAC table to determine which of the network access controllers 515 should receive the encapsulated packets. The NAC table may include data indicating associations between one or more of a user identifier, a client device's MAC address, and the MAC address of a network access controller 515. These associations may indicate which network access controller 515 should be used for a particular client device or user. Packet forwarding component 520 may obtain the NAC table or may update the NAC table using various other methods, functions, operations, techniques, etc. The NAC table or packet forwarding component 520 may associate different client devices with different network access controllers 515 based on the geographic region of the client device. The NAC table or packet forwarding component 520 may also associate different client devices with different network access controllers 515 based on different subscriptions or network plans.

[0110] The packet forwarding component 520 can update or modify the destination MAC address of a packet from the default network access controller's MAC address to the appropriate network access controller 515 associated with the client device's MAC address, based on the NAC table. The packet forwarding component 520 can then forward the packet to the network access controller 515 associated with the client device's MAC address.

[0111] In one embodiment, packet forwarding component 520 may forward or send encapsulated packets to network access controller 515 identified or selected based on an NAC table. Packet forwarding component 520 may send encapsulated packets to the identified network access controller 515 via various tunnels 690 between packet forwarding component 520 and the identified network access controller 515. As discussed in more detail below, packet forwarding component 520 may forward packets from client devices to the same network access controller 515, regardless of which access point the client device is connected to.

[0112] In one embodiment, network access controller 515 can perform various functions, actions, operations, etc., related to providing a client device with access to one or more networks (e.g., the Internet, etc.). Network access controller 515 can authenticate or authorize a client device before providing access to one or more networks. In another embodiment, network access controller 515 can provide network policy processing or enforcement functions (e.g., enforcing maximum download speeds, enforcing data limits, etc.). For example, network access controller 515 can allow a client device to send or receive packets based on network policies, group policies, etc. As described above, group policies can be associated with a group of client devices on a group subscription plan (e.g., a group of client devices sharing the same subscription plan). Group policies can be used to control download speeds, time limits, etc., for multiple users registered in a group subscription plan (e.g., Internet access subscription plan, family plan, sharing plan, etc.). Packets from client devices in a group subscription plan can be forwarded to the same network access controller 515, regardless of which access point the client device is connected to. The same network access controller 515 can use group policies to enforce network policies on that group of client devices. Customer devices or users that are part of the same group can be associated with the same network access controller 515 in the NAC table.

[0113] Network access controller 515 may be coupled to one or more networks, such as a public network (e.g., the Internet) or a private network (e.g., an enterprise network). In one embodiment, network access controller 515 may receive encapsulated packets from packet forwarding component 520 via a tunnel between network access controller 515 and packet forwarding component 520. Network access controller 515 may decapsulate, unpack, etc., the encapsulated packets to obtain data packets (e.g., Layer 2 packets) sent by a client device to the access point. Network access controller 515 may analyze one or more of the encapsulated packets or data packets to identify network policies (e.g., network policies for users, group policies for user groups, etc.). For example, network access controller may identify the source MAC address (which may be the MAC address of a client device) to identify the network policy or group policy associated with the client device that sent the data packet. As discussed in more detail below, network access controller 515 may determine whether, when, and how to forward data packets to one or more networks (e.g., the Internet) based on data policies or group policies.

[0114] In one embodiment, each network access controller 515 can also be a user port isolation group. Different endpoints 622 and 621 of each network access controller 515 can be grouped into different port isolation groups. For example, endpoint 621 can be in a first port isolation group, while endpoint 622 can be in a second port isolation group.

[0115] In one embodiment, endpoints within a port isolation group may not be able to forward packets between each other. For example, packets are not allowed to travel from a first endpoint 622 of packet forwarding component 520 to a second endpoint 622 of the same packet forwarding component 520. This helps prevent packets from looping through packet forwarding component 520 and bypassing network access controller 515. This also prevents packets from flooding through server system 510. For example, the system architecture may use Address Resolution Protocol (ARP) packets to map IP addresses to MAC addresses. If ARP packets are allowed to be forwarded between endpoints 621 on packet forwarding component 520, this could allow ARP packets to continuously loop or flood through server system 510. Additionally, port isolation groups can prevent packet flutter. Flutter can occur when client device 540 is rapidly switching between different packet forwarding components 520 because packets from client device 540 are looping through server system 510. In another embodiment, endpoints in different port isolation groups may be able to forward packets between each other. For example, endpoint 621 (which is part of a first port isolation group) may be able to forward packets to endpoint 622 (which is part of a second port isolation group).

[0116] As described above, system architecture 600 can use encapsulated packets (e.g., Layer 3 packets, IP packets) between access point 130, packet forwarding component 120, and network access controller 115. System architecture 600 can use Internet Protocol (IP) layer routing protocols, standards, technologies, methods, operations, etc., to route encapsulated packets between access point 130, packet forwarding component 120, and network access controller 115. This allows system architecture 500 to have higher fault tolerance and be able to recover from errors faster or more efficiently. In addition, using a tunneling device to generate encapsulated packets allows server system 510 to add additional packet forwarding component 520 to server system 510 faster, easier, and more efficiently.

[0117] Figure 7 This is a flowchart of a packet forwarding method 700 according to some embodiments of the present invention. Method 700 may be performed by processing logic that may include hardware (e.g., circuitry, dedicated logic, programmable logic, processor, processing device, central processing unit, system-on-a-chip (SoC), etc.), software (e.g., instructions running / executable on the processing device), firmware (e.g., microcode), or a combination thereof. In some embodiments, method 700 may be performed by one or more of a packet forwarding component, a network access controller, a tunneling device, an access point, and / or a computing device.

[0118] Method 700 begins at box 705, where method 700 can establish a first tunnel with the tunneling device. For example... Figure 6As shown, a tunnel can exist between a tunneling device and a packet forwarding component. At block 710, method 700 establishes a set of tunnels with multiple network access controllers. For example, as... Figure 6 As shown, method 700 can establish tunnels between each network access controller and the packet forwarding component. At block 715, method 700 can receive encapsulated packets from the tunneling device via the first tunnel. As described above, the encapsulated packet can be a Layer 3 packet. The encapsulated packet can include data packets (e.g., data link layer packets, Layer 2 packets, etc.) received by the access point from the client device and encapsulated by the tunneling device.

[0119] At block 720, method 700 can identify a first network access controller from a plurality of network access controllers. For example, method 700 can identify the source MAC address in the encapsulated packet (e.g., the MAC address of the client device to which the packet is sent to the access point). Method 700 can access a NAC table to identify the network access controller and the MAC address of the first network access controller associated with the MAC address of the client device based on the table.

[0120] At box 725, method 700 may forward the encapsulated packet to the first network access controller. For example, method 700 may update the destination MAC address in the encapsulated packet from the default network access controller's MAC address to the MAC address of the first network access controller (which is associated with the client device).

[0121] Figure 8 This is a block diagram illustrating an exemplary system architecture 800 according to some embodiments of the present invention. System architecture 800 includes a server system 510 and a tunneling device 560. The server system 510 and tunneling device 560 may be interconnected or coupled to each other (e.g., communicatively coupled) via one or more networks. The server system 510 includes a network access controller 515 and a packet forwarding component 520. The network access controller 515 and packet forwarding component 520 may also be interconnected or coupled via one or more networks. Each tunneling device 560 may be coupled to one or more access points 530, and each access point may be coupled to one or more client devices. The network access controller 515, packet forwarding component 520, and tunneling device 560 may each be one or more of a computing device, a VM, or a container.

[0122] In some embodiments, server system 510 may function, operate, or function as a router. For example, server system 510 may operate as a home router, cable modem, DSL modem, or some other CPE. That is, as discussed in more detail below, server system 510 may operate as a virtual router located in a cloud or data center.

[0123] As described above, tunneling device 560 can be coupled to one or more access points 530 within a geographical location. Each tunneling device 560 can be coupled to one or more access points 530 via a Layer 2 connection or via a data link layer connection. Tunneling device 560 can receive Layer 2 packets (e.g., data packets) from the set of access points and can encapsulate these packets to generate encapsulated packets (e.g., Layer 3 packets). The encapsulated packets can be higher-layer packets, and the payload of the encapsulated packets can include lower-layer packets. Each tunneling device 560 can be coupled to packet forwarding component 520 via a tunnel. The tunnel can be used to communicate encapsulated packets (e.g., Layer 3 packets, encapsulated Layer 2 packets, etc.) between tunneling device 560 and packet forwarding component 520.

[0124] In one embodiment, packet forwarding component 520 performs load balancing for server system 510 by forwarding packets from different client devices to different network access controllers 515. As described above, packet forwarding component 520 can determine which network access controller 515 to forward packets to based on a NAC table. The NAC table may include data indicating associations between one or more of a user identifier, the MAC address of a client device, and the MAC address of a network access controller 515. These associations can indicate which network access controller 515 should be used for a particular client device or user. Packet forwarding component 520 can update or modify the destination MAC address of packets from the default network access controller's MAC address to the appropriate network access controller 515 associated with the client device's MAC address based on the NAC table.

[0125] Each packet forwarding component 520 is coupled to one or more network access controllers 515 via a tunnel (e.g., a GRE tunnel, VPN tunnel, L2TP tunnel, etc.). The tunnel allows the packet forwarding component 520 to more easily reconnect to different network access controllers 515. The tunnel can be used to encapsulate packets (e.g., Layer 3 packets, encapsulated Layer 2 packets, etc.) for communication between the packet forwarding component 520 and the network access controller.

[0126] In one embodiment, network access controller 515 can perform various functions, actions, operations, etc., related to providing a client device with access to one or more networks (e.g., the Internet). For example, network access controller 515 can authenticate or authorize a client device before providing access to one or more networks to the client device.

[0127] Network access controller 515 can be coupled to one or more networks, such as a public network (e.g., the Internet) or a private network (e.g., a corporate network). Network access controller 515 can allow client devices to communicate with one or more networks via network access controller 515. For example, network access controller 515 can allow client devices to send packets to and receive packets from the Internet via network access controller 515.

[0128] In another embodiment, network access controller 515 may provide network policy processing or enforcement functions (e.g., enforcing maximum download speeds, enforcing data limits, etc.). For example, network access controller 515 may allow client devices to send or receive packets based on network policies. As described above, the NAC table of packet forwarding component 520 may be configured such that packets from client devices are forwarded by packet forwarding component 520 to the same network access controller 515. This helps ensure that the same network access controller 515 is used to enforce network policies on packets sent or received by client devices. This also makes it easier for network access controller 515 to enforce network policies because network access controller 515 does not need to cooperate with other network access controllers 515 to enforce network policies.

[0129] Network access controller 515 can also implement group policies. A group policy can be a network policy associated with a group of client devices (e.g., client devices 840A and 840B). A group of client devices may use a group subscription plan (e.g., the group of client devices may share the same subscription plan). Group policies can be used to control download speeds, time limits, etc., of multiple client devices or users registered in a group subscription plan (e.g., Internet access subscription plan, home plan, sharing plan, etc.). The NAC table on packet forwarding component 520 can be configured such that packets from client devices registered in or part of a group subscription plan are forwarded by packet forwarding component 520 to the same network access controller 515.

[0130] For example, such as Figure 8As shown, client devices 840A and 840B can be part of a group subscription plan, and the NAC table in packet forwarding component 520 can indicate that packets or data from client devices 840A and 840B should be forwarded to the leftmost network access controller 515. Therefore, group policies (e.g., network policies applied to multiple client devices in a group subscription plan) can be implemented or applied to client devices 840A and 840B. Group policies can indicate one or more of the following: maximum bandwidth (e.g., maximum throughput, maximum download speed), data limits (e.g., the amount of data that can be downloaded), time limits (e.g., the amount of time a client device can be online or communicating packets with the network). Because the NAC table in packet forwarding component 520 can forward all packets from client devices 840A and 840B to the leftmost network access controller 515 (e.g., the same network access controller), the leftmost network access controller 515 can more easily implement or apply group policies. For example, the leftmost network access controller 515 may not cooperate with other network access controllers 515 to implement or apply group policies because the other network access controllers do not process packets from client devices 840A and 840B.

[0131] In one embodiment, as a client device moves (e.g., traverses) from one access point 530 to another, the network access controller 515 can apply or enforce network policies on the client device. For example, client device 840A might use the leftmost access point 530, which could be located in a first city. Later, client device 840A might move to a second city and use an intermediate access point 530, which could be located in the second city. The NAC table of the packet forwarding component can be configured to forward packets from client device 840 to the leftmost access point 530, regardless of whether client device 840 uses the leftmost access point 530, an intermediate access point 530, or another access point. This allows server system 510 to operate as a virtual or virtualized router that provides access to one or more networks (e.g., the Internet) and is capable of enforcing network policies on client devices.

[0132] In one embodiment, when a client device (in a group subscription plan) moves from one access point 530 to another, the network access controller 515 can apply or enforce group policies on client devices (e.g., client devices 840A and 840B) that are part of a group subscription plan. For example, the group subscription plan may indicate the maximum bandwidth that can be shared by client devices within the group subscription plan. Figure 8As shown, client device 840A can connect to intermediate access point 530, and client device 840B can connect to the rightmost access point 530. Since all packets communicating with client devices 840A and 840B pass through the leftmost network access controller 515, the leftmost network access controller 515 can enforce maximum bandwidth on both client devices 840A and 840B. For example, group subscription can instruct client devices 840A and 840B to share a maximum bandwidth of 100 megabits per second (Mbps). The leftmost network access controller 515 can allow client device 840A to use 50 Mbps of bandwidth, and can also allow client device 840B to use 50 Mbps of bandwidth. In other examples, the leftmost network access controller 515 can allocate 100 Mbps of bandwidth between client devices 840A and 840B, such that the total bandwidth used by client devices 840A and 840B does not exceed 100 Mbps.

[0133] In one embodiment, the leftmost network access controller 515 may be able to apply these bandwidth limits to client devices 840A and 840B regardless of which access point they use, because all packets communicating between client devices 840A and 840B pass through the leftmost network access controller 515 (e.g., due to how the NAC table on packet forwarding component 520 is set or configured). This allows server system 510 to operate as a virtual or virtualized router that provides access to one or more networks (e.g., the Internet) and is able to enforce network policies on client devices in a group subscription. For example, a cable modem or router may enforce maximum bandwidth on client devices coupled to a cable modem or router. All devices coupled to a cable modem or router may share the maximum bandwidth. Server system 510 allows system architecture 800 to emulate or operate as a router (e.g., as a virtual or virtualized router) and enforce maximum bandwidth (e.g., network policies) on client devices 840A and 840B.

[0134] Figure 9 This is a flowchart of a packet forwarding method 900 according to some embodiments. Method 900 may be performed by processing logic that may include hardware (e.g., circuitry, dedicated logic, programmable logic, processor, processing device, central processing unit, system-on-a-chip (SoC), etc.), software (e.g., instructions running / executable on the processing device), firmware (e.g., microcode), or a combination thereof. In some embodiments, method 900 may be performed by one or more of a packet forwarding component, a network access controller, a tunneling device, an access point, and / or a computing device.

[0135] Method 900 begins at box 905, where it establishes a tunnel between the packet forwarding component and the tunneling device, such as... Figure 6 As shown. At box 910, method 900 can establish a tunnel between the packet forwarding component and the network access controller, as... Figure 6 As shown. At block 915, method 900 can receive packets from the client device and forward the packets to the tunneling device. For example, the access point can receive data packets (e.g., Layer 2 packets) from the client device and forward the data packets to the tunneling device. At block 920, the tunneling device can receive data packets from the access point and can generate encapsulated packets (e.g., Layer 3 packets). The tunneling device can also forward the encapsulated packets to a packet forwarding component.

[0136] At block 925, method 900 can receive packets from the tunneling device and forward them to the network access controller. For example, a packet forwarding component can receive encapsulated packets from the tunneling device and forward them to the network access controller based on the NAC table. At block 930, when a client device moves between different access points, method 900 can enforce one or more network policies on the client device. For the network access controller, as described above, when a client device moves between different access points, network policies can be enforced on client devices in a group subscription.

[0137] Figure 10 This is a block diagram of an exemplary computing device 1000 capable of performing one or more of the operations described herein, according to some embodiments. The computing device 1000 may be connected to other computing devices in a LAN, intranet, extranet, and / or the Internet. The computing device may operate within the capacity of a server machine in a client-server network environment or within the capacity of a client in a peer-to-peer network environment. The computing device may be provided by a personal computer (PC), set-top box (STB), server, network router, switch, or bridge, or any machine capable of executing a set of instructions (sequentially or otherwise) specifying actions to be taken by the machine. Furthermore, although only a single computing device is shown, the term "computing device" should also be considered to include any collection of computing devices that individually or collectively execute a set of instructions (or multiple sets of instructions) to perform the methods described herein. In some embodiments, the computing device 1000 may be one or more of an access point and packet forwarding components.

[0138] An exemplary computing device 1000 may include a processing device (e.g., a general-purpose processor, PLD, etc.) 1002, a main memory 1004 (e.g., synchronous dynamic random access memory (DRAM), read-only memory (ROM)), and a static memory 1006 (e.g., flash memory and data storage device 1018), which may communicate with each other via a bus 1030.

[0139] Processing device 1002 may be provided by one or more general-purpose processing devices such as microprocessors or central processing units. In illustrative examples, processing device 1002 may include a Complex Instruction Set Computing (CISC) microprocessor, a Reduced Instruction Set Computing (RISC) microprocessor, a Very Long Instruction Word (VLIW) microprocessor, or a processor implementing other instruction sets or combinations of instruction sets. Processing device 1002 may also include one or more special-purpose processing devices, such as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), or network processors. Processing device 1002 may be configured to perform the operations described herein according to one or more aspects of the present invention for performing the operations and steps described herein.

[0140] The computing device 1000 may further include a network interface device 1008 capable of communicating with the network 1020. The computing device 1000 may also include a video display unit 1010 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 1012 (e.g., a keyboard), a cursor control device 1014 (e.g., a mouse), and a sound signal generation device 1016 (e.g., a speaker). In one embodiment, the video display unit 1010, the alphanumeric input device 1012, and the cursor control device 1014 may be combined into a single component or device (e.g., an LCD touchscreen).

[0141] Data storage device 1018 may include computer-readable storage medium 1028, on which one or more sets of instructions, such as instructions for performing the operations described herein, may be stored according to one or more aspects of the invention. Instructions 1026 implementing one or more of the packet forwarding component, network access controller, tunneling device, and access point may also reside wholly or at least partially in main memory 1004 and / or processing device 1002 during execution by computing device 1000, main memory 1004, and processing device 1002, which also constitute computer-readable media. Instructions may also be transmitted or received on network 1020 via network interface device 1008.

[0142] Although computer-readable storage medium 1028 is shown as a single medium in the illustrative example, the term "computer-readable storage medium" should be considered to include a single medium or multiple media (e.g., a centralized or distributed database and / or associated caches and servers) that store one or more sets of instructions. The term "computer-readable storage medium" should also be considered to include any medium capable of storing, encoding, or carrying a set of instructions executable by a machine and enabling the machine to perform the methods described herein. Therefore, the term "computer-readable storage medium" should be considered to include, but is not limited to, solid-state memory, optical media, and magnetic media.

[0143] Unless otherwise expressly stated, terms such as “receive,” “generate,” “identify,” “implement,” “forward,” “determine,” “allocate,” “establish,” or “update” refer to actions and processes performed or implemented by a computing device that manipulate and convert data represented as physical (electronic) quantities in the registers and memory of the computing device into other data similarly represented as physical quantities in the memory or registers of the computing device or other such information storage, transmission, or display devices. Furthermore, terms such as “first,” “second,” “third,” “fourth,” etc., as used herein, refer to labels used to distinguish different elements and do not necessarily have a meaning based on the numerical order specified therein.

[0144] The examples described herein also relate to devices for performing the operations described herein. These devices may be specifically constructed for the desired purpose, or they may include general-purpose computing devices selectively programmed by computer programs stored in computing devices. Such computer programs may be stored in computer-readable, non-transitory storage media.

[0145] The methods and illustrative examples described herein are not inherently related to any particular computer or other device. Various general-purpose systems can be used based on the teachings described herein, or it can be demonstrated that constructing more specialized devices to perform the required methodological steps is convenient. The necessary structures for various such systems will be as presented in the above description.

[0146] The above description is intended to be illustrative and not restrictive. Although the invention has been described with reference to specific illustrative examples, it will be appreciated that the invention is not limited to the described examples. The scope of the invention should be determined by reference to the appended claims and the full range of their equivalents.

[0147] As used herein, unless the context clearly indicates otherwise, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well. It is further understood that the terms “comprising,” “including,” “having,” and / or “containing,” when used herein, specify the presence of the stated feature, integer, step, operation, element, and / or component, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and / or groups thereof. Therefore, the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting.

[0148] It should also be noted that in some alternative implementations, the functions / actions described may not occur in the order shown in the figures. For example, the two figures shown successively may actually be executed substantially simultaneously, or sometimes in reverse order, depending on the functions / actions involved.

[0149] Although the method operations are described in a specific order, it should be understood that other operations may be performed between the described operations, the described operations may be adjusted so that they occur at slightly different times, or the described operations may be distributed across a system that allows processing operations to occur at various intervals associated with the processing.

[0150] Various units, circuits, or other components may be described or claimed to be "configured to" or "configurable to" perform one or more tasks. In such a context, the phrase "configured to" or "configurable to" is used to indicate a structure by indicating that the unit / circuit / component includes a structure (e.g., a circuit) that performs one or more tasks during operation. Thus, even when the specified unit / circuit / component is not currently in operation (e.g., not switched on), it can be said that the unit / circuit / component is configured to perform a task or can be configured to perform a task. Units / circuit / components used with the language "configured to" or "configurable to" include hardware—e.g., circuits, memory storing program instructions that can be executed to perform operations, etc. Describing a unit / circuit / component as "configured to" or "configurable to" perform one or more tasks is explicitly intended to avoid invoking paragraph 6 of 35U.SC112 for that unit / circuit / component. Additionally, "configured to" or "can be configured to" can include a general-purpose structure (e.g., a general-purpose circuit) manipulated by software and / or firmware (e.g., an FPGA or general-purpose processor executing the software) to operate in a manner capable of performing the described tasks. "Configured to" can also include adjusting the fabrication process (e.g., a semiconductor manufacturing facility) to manufacture means (e.g., an integrated circuit) suitable for implementing or performing one or more tasks. "Can be configured to" is explicitly intended not to be applied to blank media, unprogrammed processors or unprogrammed general-purpose computers, or unprogrammed programmable logic devices, programmable gate arrays, or other unprogrammed devices, unless accompanied by a programming medium that endows the unprogrammed device with the ability to be configured to perform the disclosed functions.

[0151] For illustrative purposes, the above description has been given with reference to specific embodiments. However, the illustrative discussion above is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in light of the above teachings. The embodiments were chosen and described in order to best explain the principles of the embodiments and their practical application, thereby enabling others skilled in the art to best utilize the embodiments and various modifications that may be adapted to the particular uses contemplated. Therefore, these embodiments are to be considered illustrative rather than restrictive, and the invention is not limited to the details given herein, but may be modified within the scope of the appended claims and their equivalents.

[0152] Cross-references to related applications

[0153] This application claims the benefit of U.S. Provisional Patent Application No. 62 / 720,710, filed August 21, 2018, and U.S. Non-Provisional Patent Application No. 16 / 546,075, filed August 20, 2019. The disclosures of the above applications are incorporated herein by reference in their entirety.

Claims

1. A network access controller, comprising: A memory used to store data; as well as A processing device coupled to the memory, the processing device being used for: Receive a set of encapsulated packets from the packet forwarding component set; as well as When a set of client devices moves between a group of access points, one or more network policies are implemented for the set of client devices, wherein: The network access controller is one of a plurality of network access controllers; When a set of client devices moves between the set of access points, each of the plurality of network access controllers implements a network policy for the set of client devices. as well as The network access controller communicates data with the client device set via the packet forwarding component set and the tunnel device set.

2. The network access controller according to claim 1, wherein: The network access controller is coupled to the packet forwarding component set via a first tunnel set; The packet forwarding component set is coupled to the tunnel device set via a second tunnel set; as well as The tunnel device assembly is coupled to the set of access points.

3. The network access controller according to claim 1, wherein: The set of access points receives data packets from the set of client devices; The tunnel device set generates encapsulation packets based on data packets received by the set of access points; as well as The packet forwarding component set receives the encapsulated packet from the tunnel device set and forwards the encapsulated packet.

4. The network access controller according to claim 1, wherein: When the first client device moves between the set of access points, the packet forwarding component set will forward only the encapsulated packet set generated based on the data packet set from the first client device to the network access controller.

5. The network access controller according to claim 1, wherein: The first and second customer devices are associated with group policies; Receive the first encapsulated packet set from the packet forwarding component set; The first set of encapsulated packets is generated by the packet forwarding component set based on the first set of data packets from the first client device when the first client device moves between the set of access points; Receive the second encapsulated packet set from the packet forwarding component set; as well as The second set of encapsulated packets is generated by the packet forwarding component set based on the second set of data packets from the second client device when the second client device moves between the set of access points.

6. The network access controller according to claim 5, wherein, The processing device is also used for: The first client device and the second client device are identified as being associated with the group policy. Based on the group policy, the first network bandwidth is allocated to the first client device; as well as The second network bandwidth is allocated to the second client device based on the group policy.

7. The network access controller according to claim 6, wherein: The group policy indicates the total network bandwidth; and The sum of the first network bandwidth and the second network bandwidth is less than or equal to the total network bandwidth.

8. The network access controller according to claim 1, wherein, The network access controller is identified by one or more packet forwarding components in the set of packet forwarding components based on mapping data used to associate the first MAC address of the network access controller with the second MAC address of the first client device.

9. The network access controller according to claim 1, wherein, The processing device is also used for: The package set is decapsulated to obtain a decapsulated package set; and The decapsulated packet set is forwarded to one or more networks.

10. The network access controller according to claim 1, wherein: The network access controller and at least one other network access controller are located within the data center; and At least two packet forwarding components in the packet forwarding component set are located within the data center.

11. A method comprising: The network access controller receives the encapsulated packet set from the packet forwarding component set; as well as When a set of client devices moves between a group of access points, the network access controller implements one or more network policies for the set of client devices, wherein: The network access controller is one of a plurality of network access controllers; When a set of client devices moves between the set of access points, each of the plurality of network access controllers implements a network policy for the set of client devices. as well as The network access controller communicates data with the client device set via the packet forwarding component set and the tunnel device set.

12. The method according to claim 11, wherein: The network access controller is coupled to the packet forwarding component set via a first tunnel set; The packet forwarding component set is coupled to the tunnel device set via a second tunnel set; as well as The tunnel device assembly is coupled to the set of access points.

13. The method according to claim 11, wherein: The set of access points receives data packets from the set of client devices; The tunnel device set generates encapsulation packets based on data packets received by the set of access points; as well as The packet forwarding component set receives the encapsulated packet from the tunnel device set and forwards the encapsulated packet.

14. The method of claim 11, wherein: When the first client device moves between the set of access points, the packet forwarding component set will forward only the encapsulated packet set generated based on the data packet set from the first client device to the network access controller.

15. The method according to claim 11, wherein: The first and second customer devices are associated with group policies; Receive the first encapsulated packet set from the packet forwarding component set; The first set of encapsulated packets is generated by the packet forwarding component set based on the first set of data packets from the first client device when the first client device moves between the set of access points; Receive the second encapsulated packet set from the packet forwarding component set; as well as The second set of encapsulated packets is generated by the packet forwarding component set based on the second set of data packets from the second client device when the second client device moves between the set of access points.

16. The method of claim 15, further comprising: The first client device and the second client device are identified as being associated with the group policy. Based on the group policy, the first network bandwidth is allocated to the first client device; as well as The second network bandwidth is allocated to the second client device based on the group policy.

17. The method of claim 16, wherein: The group policy indicates the total network bandwidth; and The sum of the first network bandwidth and the second network bandwidth is less than or equal to the total network bandwidth.

18. The method according to claim 11, wherein, The network access controller is identified by one or more packet forwarding components in the set of packet forwarding components based on mapping data used to associate the first MAC address of the network access controller with the second MAC address of the first client device.

19. The method of claim 11, further comprising: The package set is depackaged to obtain a depackaged package set; as well as The decapsulated packet set is forwarded to one or more networks.

20. The method of claim 11, wherein: The network access controller and at least one other network access controller are located within the data center; and At least two packet forwarding components in the packet forwarding component set are located within the data center.